Answer: Both may affect the way businesses determine what constitutes appropriate security measures.
In February, Senators Joe Lieberman, Susan Collins, John D. Rockefeller IV, and Dianne Feinstein introduced the Cybersecurity Act of 2012. The intent of the Act is to give the Department of Homeland Security (DHS) additional power to set cyber security standards for private companies that operate the nation’s critical infrastructure. Put simply, the intent of the bill is to:
- Identify risk via cooperation between DHS and private corporations
- Protect critical infrastructure (although what exactly constitutes critical infrastructure is yet to be defined)
- Improve information sharing about security issues and events between DHS and private corporations
According to the Homeland Security Website: “The bill would authorize the Secretary of Homeland Security, together with the private sector, to determine cyber security performance requirements based upon the risk assessments. The performance requirements would cover critical infrastructure systems and assets whose disruption could result in severe degradation of national security, catastrophic economic damage, or the interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations. The bill would only cover the most critical systems and assets in a given sector, and only if they are not already being appropriately secured.”
The website goes on, “Owners of ‘covered critical infrastructure’ would have the flexibility to meet the cybersecurity performance requirements in the manner they deem appropriate. The private sector also would have the opportunity to develop and propose performance requirements for ‘covered critical infrastructure.’”
In this regard, if this bill is passed, companies that operate anything that might be lumped into the category of critical infrastructure (e.g. financial, energy, food, medical, healthcare, etc.) may need to rethink their risk tolerance, security engineering methodologies and security operations practices. If your company does operate critical infrastructure, the Department of Homeland Security may soon police your security engineering efforts.
Coincidentally, the insurance industry is also affecting how Security Admins determine appropriate security measures for their companies. Cyber insurance was created to protect the interests of companies in the event of a loss due to a variety of different issues, including data breaches, cyber-extortion, content liability, penalties for civil actions resulting from failure to comply with a specific regulation, virus liability, cyber terrorism, loss of income due to hacking, DoS attacks, etc. While cyber insurance may be worthwhile, as those of us with homeowners or automobile insurance know, insurance policies always contain a list of exclusions.
Cyber insurance is no different. Notable exclusions can include vague statements such as:
- Loss caused by an employee, officer, director, owner, or independent contractor
- Failure to follow minimum required practices
- Failure to take reasonable security measures
Given that Security Admins are paid to take “reasonable” security measures, it’s hard to imagine how these exclusions will be interpreted in the event of a breach. Only an attorney can determine the actual impact of these exclusions. Ultimately, Security Admins are compelled to work with their legal department and other business areas to ensure that their cyber insurance policy provides coverage in the event of a breach. In this regard, insurance companies may influence your security engineering efforts as well.
At a recent trade show, an attendee told me that his company was forced to purchase cyber insurance. When I asked him why, he indicated that one of his customers required cyber insurance as a condition of doing business with them. This customer understood that a prerequisite to determining which cyber insurance policy was appropriate was to involve business data owners, who are best prepared to determine the risk associated with their area of interest. Many companies have recognized the value of including business areas, and specifically data owners, in security engineering planning.
The Cybersecurity Act of 2012 and cyber insurance are two motivating factors that will encourage companies to better understand risk and risk tolerance, and foster cooperation between IT security and data owners.